Software Security and Procurement
John Ritchie, DAS Enterprise Security Office
Introduction
• What's my experience?
  – Not a procurement specialist
  – Information security, software, vendors, procurement projects
• Why am I talking to you?
  – Describe procurement role in software security
Agenda
• Problem statement
  – Insecure applications
  – Procurement lever
• Procurement tools for security
  – RFP, contract
• Procurement scenarios
  – Considerations for different procurement types
What's the problem?
• Sea-change in “hacking”
  – Past: hobby hackers
  – Present: Internet crime wave
  – Future: cyber warfare
• Plus
  – poor programming practices
  – insecure, buggy applications
• Equals...
What's the solution?
• No one solution, but...
• Software vendor culture change
  – Better education
  – Better development practices
  – Shift from “release it now, fix it later” mentality
How can we help?
• Leverage market forces
  – Customer expectations
    • We don't accept defective cars, why should we accept defective software?
  – Vendor competition
  – Exercise clout
• Incorporate software security requirements into procurement process
What do you mean by “requirements?”
• Secure development practices
  – Personnel
    • Background checks
    • Training
  – Development processes
    • Secure coding
    • Configuration management
  – Testing
    • Source code
    • Vulnerability testing
  – Maintenance
    • Notification of updates
    • Patch testing
    • Tracking security issues
Procurement tools for better security
• RFP process
• Contract security language
Tools: RFP process
• Security requirements definition
  – Security features: be explicit
  – Vendor security practices
    • Software development
    • Software maintenance
    • Security responsiveness
  – Which ones are mandatory and which ones are desirable?
• Compare responses
Vendor Security Practices
• Software development
  – Is security integrated into the SDLC?
  – What training do developers get?
• Software maintenance
  – Why and when are patches released?
  – How are customers notified?
• Security responsiveness
  – Proactive or reactive?
  – What mechanisms for bug reporting and response?
Tools: Contract Language
• Incorporates software security requirements into legal agreement
• Growing movement
• Requires clout
• Reinforced by regulations
  – Payment Card Industry (PCI), Oregon Consumer Identity Theft Prevention Act (OCITPA)
Sample Language: New York State
• Sample application security procurement language
  – http://www.sans.org/appseccontract/
• Covers all areas of software security responsibility
• Meeting resistance from software industry
Procurement Security Considerations
• Differ based on type of procurement
  – Software purchase
    • Commercial Off-The-Shelf (COTS)
    • Custom development
  – Outsourcing of services
    • Not just software
  – Software as a service
    • e.g. TurboTax Online
• Disclaimer: these lists are not exhaustive!
COTS Software
• Clout is key
  – Big markets: U.S. Government?
• Security requirements definition in RFP is important
  – Possible product differentiator
• Contract security language
  – Growing role
• Major vendors starting to “see the light”
Custom Software
• Software security and vendor requirements need to be specific and detailed
• Education may be necessary
• Possible vendor differentiator
• Ongoing patching and support is important
Outsourcing
• Services and hosting as well as software
• Define security goals and policies
• Ensure outsourcing maintains the same level of compliance
• Beware of sub-outsourcing
Software as a service
• Who controls the data?
• Is security adequate for all types of data?
  – Map to data classification
• Ensure service maintains compliance with policies and security goals
• Don't forget e-Discovery
Challenges
• Procurement complexity
• Lack of expertise
• Vendor resistance
• Software cost
Summary
• Trend pushing security responsibility toward software vendors
• We will see more of:
  – Detailed security practices specified in RFPs
  – Security practices agreement in contracts
Further Reading
• NY sample procurement contract language
  – http://www.sans.org/appseccontract/
• OWASP Secure Software Contract Annex
  – https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
• BITS Financial Services Roundtable Software Security Toolkit – includes sample procurement language and sample business requirements
  – http://www.bits.org/downloads/Publications Page/bitssummittoolkit.pdf
• This presentation is available under “Presentations” on the ESO website:
  – http://www.oregon.gov/DAS/EISPD/ESO/Pub.shtml